1. Field
Embodiments of the present invention generally relate to network security. In particular, embodiments of the present invention relate to application-level content processing of network service protocols using a firewall.
2. Description of the Related Art
Security threats have evolved dramatically over the past 10 years, moving from network-level, connection-oriented attacks to application-level, agent-based attacks. Conventional networking devices (firewalls) can deal with network-level packet processing; for example, conventional firewalls can stop packets that do not come from a valid source, and VPN gateways can encrypt packets on the fly, making it safe for them to traverse the Internet.
But today's critical network threats, like viruses and worms, are embedded in the application-level contents of packet streams. Enormous processing power is needed to detect and stop these application-layer threats by extracting the content from multiple packets, reconstructing the original content, and scanning it for the telltale signs of attacks or for inappropriate content.
A firewall is typically implemented as a hardware/software appliance having a number of physical networking interfaces for the incoming and outgoing network traffic. Firewalls can be software-implemented and installed on a stand-alone computer, or they can be full-blown hardware appliances placed in a network to filter traffic going between multiple computers and/or the Internet. Network traffic enters one of these interfaces and, after filtering and other appropriate processing, is routed to a remote host typically attached to a different physical interface.
In a firewall, processing of network traffic is performed in accordance with a set of specific rules, which collectively form a firewall policy. The firewall policy dictates how the firewall should handle network traffic associated with specific applications such as web browsers, email or telnet. Exemplary rules include filtering of banned words, blocking specific URLs, blocking transmission of specific file types, antivirus scans, blocking of spam, etc. The firewall policy is usually created by the network administrator and is based on the information security policy of the respective organization.
Conventional firewalls were capable of blocking traffic at the packet level but were not intelligent enough to examine the content of those packets and to protect against application-layer threats. Modern firewalls have the ability to examine the content of various network traffic streams and appropriately react to threats transferred within the content of the traffic stream. With the growth of these abilities of the firewalls, there has also been a growth in the number of options and settings that an administrator would need to configure to ensure a secure network.
Many existing firewall systems use global configuration settings, such as global lists of URLs to block, lists of spam addresses, options to scan for viruses, spam, and others similar parameters. These settings are applied globally to all policies within the firewall.
This approach, however, does not provide much flexibility to the administrator. For example it may be desirable to block general staff members of an organization from accessing certain websites that don't necessarily contain objectionable material but may be a work distraction. On the other hand, staff managers may not need to be restricted from accessing the same websites. Using global configuration options to enable the above firewall configuration presents a difficult task. In other words, the existing firewall systems, which are often configured using global settings, tend to apply the same firewall configuration scheme to all the network content passing through the firewall.
Therefore, what is needed is a firewall system providing a flexible and effective control over configuration parameters applied to filtering and/or processing of various network content. Such a system would achieve an optimal content processing performance without compromising the security of the protected network.